HONEYPOTS

HONEYPOTS

Rather than try to block a hacker (with a firewall) or find a hacker (with an intrusion-detection system), some people prefer the more labor-intensive method of using a honeypot instead. A honeypot can serve two purposes. First, it can lure a hacker away from the important data on your computer and isolate the hacker from causing any damage. Second, a honeypot can allow you to study a hacker's methods and techniques so that you can better learn how certain attacks work and how you might be able to defend yourself against them in the future.

Honeypots typically run on a single computer that mimics the activity and breadth of an entire network, even down to emulating the details of a specific operating system, such as Linux, Windows, Mac OS, Solaris, or HP-UX. Although a honeypot looks and behaves just like a real network, it often offers several easily exploitable flaws to encourage the hackers to waste their time exploiting this fictional network.

To learn more about honeypots, visit the Honeynet Project (http://project.honeynet.org), which has been running honeypots and studying hacker techniques for years. The Distributed Honeypot Project (http://www.lucidic.net) plans to create a network of honeypots around the Internet so that system administrators can share the latest hacking techniques. For a list of different honeypots available, visit Talisker (http://www.networkintrusion.co.uk).

The friendly folks at Science Applications International Corporation (SAIC) (http://www.saic.com) have even set up a wireless honeypot near Washington, D.C., to learn the latest war-driving hacking techniques (see Chapter 11).

To learn about the various honeypots currently used by businesses, visit these sites:

Tiny Honeypot

http://www.alpinista.org/thp

NetFacade

http://www22.verizon.com/fns/netsec/fns_netsecurity_netfacade.html

Symantec ManTrap

http://www.symantec.com

The Deception Toolkit

http://www.all.net/dtk/download.html

Many honeypots are freeware and include source code so you can study how they work and even contribute some ideas of your own.

Because honeypots take time to set up and maintain, most individuals aren't likely to run a honeypot on their personal computer. If you have the time, though, you may want to try running a Trojan horse honeypot-the next time someone tries to access your computer using a remote access Trojan horse, your honeypot can trick the hacker into thinking he has secret access to your computer when he's really isolated from your data and you're watching his activities every step of the way (see Figure 18-3).